Most FTSE 100 boards kept in the dark about cyber resilience plans

Infosec bods worry it could be used against firms if disclosed

Only one in five FTSE 100 companies disclose testing of online business protection plans.

Most (57 per cent) of FTSE 100 companies talk about their overall crisis management, contingency or disaster recovery plans within their annual reports but few in comparison mention cybersecurity. Just 21 per cent of UK Blue Chip businesses regularly share security updates with the board at least twice a year, according to a study by management consultancy Deloitte.

Cyber risk testing would include services such as "ethical hacking" (AKA penetration testing) to find vulnerabilities in their IT systems. Security testing will become even more important with the advent of the EU's General Data Protection Regulation, due to swing into effect in June, under which data breaches in the UK and other member states will be punished with much tougher financial sanctions.

Phill Everson, head of cyber risk services at Deloitte UK, said: "Would-be hackers look for weaknesses in a system to gain access, so testing remains vital in ensuring strong cyber resilience. The 20 per cent of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, whilst also showing commitment in fixing them if identified."

Rob Norris, VP head of enterprise and cybersecurity EMEIA at Fujitsu, argued that a reluctance to reveal cybersecurity plans can often be explained.

"Whilst the forthcoming GPDR will require organisations be honest when a breach takes place, forcing companies to disclose details of specific cyber risk testing may be more difficult as it can allow hackers to understand what defences a company has in place.

"Companies need to ensure they are at the very least reporting openly and honestly about their cyber risk testing to the board."

Brian Honan, founder and head of Ireland's first CSIRT and special adviser on internet security to Europol, agreed that (by itself) firms not disclosing their security testing isn't much of a concern.

"It is quite common for companies not to disclose their testing," Honan told El Reg. "They may fear the info can be used by nefarious actors for their needs or it may draw negative public attention."

But infosec veteran Stephen Bonner said: "Testing is essential, disclosure is a choice, but increasingly firms realise transparency breeds trust. And soon not disclosing may be indistinguishable from not testing."

Despite the small proportion of FTSE 100 companies providing security updates to the board, 89 per cent recognise cyber as a "principal risk" and identified a number of consequences in the event of a breach. Disruption to business and operations was of greatest concern but damage to reputation and financial loss occasioned by a breach also featured as a worry.

Deloitte found 8 per cent of companies had a member of the board with specialist technology or cybersecurity experience, up from 5 per cent last year. The figure is matched by the number of companies that also disclose having a chief information security officer (CISO) in the executive team this year.

The much-publicised skills gap may effect the ability of large companies to increase cybersecurity expertise, according to Fujitsu's Norris. "Many organisations will be using cyber threat intelligence (CTI) as an early warning system to help identify and block potential threats before they escalate and become problems," he said. "But with the skills gap affecting IT departments in particular, the board should be made aware if their organisation is in need of additional support, and this can only come from regular security updates." ®